\chapter[Problem Analysis and Requirements]{Problem Analysis and Design Requirements}\label{cha:requirements}
This chapter firstly analyses the problems of the current Wi-Fi sharing
models in detail. Then we 
present the requirements placed on the design and
implementation of a secure and scalable Wi-Fi Sharing system. 

\section{User Access Control}
The term \emph{user access control} refers to both authentication and
authorization. 
In authentication, the system makes sure that users or systems are
authentic, i.e. they are  
the ones who they claim to be. The authorization on the other hand takes
place
after successful authentication to decide what kind of resources is
available for the user or system. 

\subsection{Authentication}
For authentication, current Wi-Fi sharing models like FON use a wireless 
access point controller software like ChilliSpot \cite{chillispot} which provides 
a (by SSL protected) web-based authentication interface. For large systems 
like FON,  
dedicated RADIUS-servers are needed, which are run centralized by the
community. Typically, a mobile user gets connected to the access point, but the
traffic is blocked. If the
user tries to use the browser, he will be directed to the login website,
which could be protected by a SSL-certificate.
The traffic is unblocked only after the user authenticates himself via the
web portal. However, this approach has  problems in scalability, and
especially it does not provide perfect protect for the usernames and passwords. 
We describe problems in the following sections.

\subsubsection{Scalability}
In the authentication process as described above, RADIUS servers play a
central role because the authenticators (the wireless routers) depend on
the result of the authentication to unblock or block the traffic for a
mobile user. With the upgrowth of a Wi-Fi community, the scalability of the
availability of the RADIUS servers will affect the wireless network's
performance and may become the bottleneck of the login process.

As described in \cite{cisco_wlan}, it is very complicated and expensive to
guarantee high availability and scalability of the RADIUS servers. Many
factors must be considered like the underlying protocol, the total number
of mobile clients, authentication time outs and the deployment of 
redundant servers etc. A successful DoS attack against the RADIUS servers
would compromise the whole Wi-Fi sharing system. 
\subsubsection{Identity Theft}
Besides the scalability issue, an attacker may forge bogus login website
and thus steal usernames and passwords of legal users. This can be done
either through a manipulated access point or a fake access point.

As parts of its security measures, 
FON for example does not allow their members to have access to the operating
system of the router. Firmware is upgraded online which is
protected by public key encryption. However, there are many ways, either
using software bugs to inject script codes \cite{hacking_fonera} or
using the serial cable by opening the case of the router \cite{serial_fonera} to
``crack'' the community router,  thus the attacker will get root access to the operating
system.   
For example, the owner of a ``manipulated access point'' can change the
settings of the user control software like ChilliSpot to let mobile users
authenticate themselves in a bogus login site. In this way, 
the identity will be stolen.

Even if an attacker does not have physical access to a community 
router, 
it is easy for him to  deploy an
access point of his own. Since there is no authentication of the 
access
point and the only way that a user can recognize is the SSID of the AP, 
it is
easy for an attacker to establish a fake community access point.
The attacker configures his access point with 
a SSID name which is characteristic for the  community. 
The mobile user gets connected with the fake AP and then will be directed
to a fake login website which looks like the real login site of the
community.
After the user
inputs his username and password, he will get the Internet access but he will
not know that he has just revealed his secret credentials.

Also the plain text transmission can be exploited by attacker to steal
identity, we will discuss this problem in 
section
\ref{sec:plaintext}.
\subsection{Authorization}
After successful authentication, the bandwidth provider in the current
Wi-Fi sharing model 
has completely no control over the
activities of the guest users. Full Internet access is granted to the mobile
user so that he can do everything he wants. 

For illegal downloads which would violate the intellectual and industrial
property or activities like spreading child pornography, the track of the
criminal will end at the IP address of the access point. As described in
section \ref{sec:liability}, the logs of Wi-Fi communities like FON can
not help much in tracking the criminals. This leads the operator to a legally
insecure situation.

\section{Confidentiality}\label{sec:plaintext}
Confidentiality is a fundamental requirement for wireless networks. The
lack of confidentiality in the current Wi-Fi sharing model like FON does not only lead to the
lost of privacy, but also to security leaks.  
We explain in the following two possible scenarios in connection with the
plain text transmission.
\begin{enumerate}
\item Any attacker with a wireless network interface in \emph{monitoring mode}
can easily read all the traffic in the air and sniff sensible contents like
e-mails, login data, etc., without exposing himself.  
Since the mobile user is asked to authenticate himself via the web portal
using username and password, he may think that a secure connection is used
and do not care about security by taking application
level measures like SSL or SSH.
\item 
An attacker can easily eavesdrop the mappings between MAC address and the
IP address of an authenticated user, because the transmission is done in plaintext. As described in
\cite{wifi_threats}, this makes attacks like \emph{MAC spoofing} and
\emph{session hijacking} possible. An attacker just needs to listen to the
traffic of an authenticated user and to find out his MAC address. Then he
spoofs his own MAC address as the address of the victim and thus
mirror the wireless card of the victim. This may cause IP address
conflict but the attacker may firstly impersonate the AP and send the legal
user a 802.11 MAC disassociate message, or more sophisticated, the attacker
can wait until a legal user close this connection and immediately take over
the session before the access point assumes that the connection is not
valid anymore. Since the time-out for authentication on most access points
are minutes or even hours, there will be enough time for an attacker to
commit crime in the name of a legal user.
\end{enumerate}
\section{Legal Liabilities}
\subsection{Contract issues}
Internet service providers normally restrict their service to one
person/household or one business unit, as specified in the written terms
of service.
For example, SBC Yohoo! has the following restriction in their term of
service \cite{yahoo_agb}:
\begin{quote}
\textbf{Restricted Use}

``You agree not to permit anyone else to use your Member Account and that
each Sub Account may only be used by one member of your household or
business. You agree that the Service is not to be used to host peer-to-peer
applications that you are not actively using. You agree that the Service is
not to be used to trunk or facilitate public Internet access (``Hotspots")
or any other Public Use of the Service, except for FreedomLink.''
\end{quote}

For user type ``alien'' of FON model, who earns money by sharing his
bandwidth, there are more restrictions. Most ISPs
prohibit resale of their bandwidth. For example the restriction paragraph from terms of service
of Verizon Online: \cite{verizon_agb}
\begin{quote}

``You may not resell the Broadband Service, use it for high volume purposes, or
exceed the bandwidth usage limitations that Verizon may establish from time
to time for the Service.''
\end{quote}
Since FON started the community, they have negotiated with different ISPs
about Wi-Fi sharing,  so
that currently there is  some kind of  relaxation for Wi-Fi sharing. At
the moment, a few ISPs explicitly welcome the Wi-Fi
sharing, like the ISP company  Speakeasy which makes a statement about
Wi-Fi sharing in their terms of
service \cite{speakeasy}:
\begin{quote}
``Speakeasy has ...
one of the most progressive wireless
sharing policies in the business.

Wireless networking and publicly shared wireless networks present exciting
new opportunities to share information and connectivity resources with one
another - we encourage you to explore it!'' 
\end{quote}
Other ISPs agree or tolerate only the ``Linus mode'' of Wi-Fi sharing in 
FON.
Recently, the British Telecommunications (BT) and FON have started a BT FON Community
\cite{bt_fon} to let BT broadband subscribers to opt to join the FON
Community with preconfigured hardware provided by BT. 

But the legal liability of activities in connection with the IP address is
still uncleared. We discuss this problem in the following section.
\subsection{Liability in Connection with IP address} \label{sec:liability}
As described in section \ref{sec:nat}, the NAT deployment leads to the fact that
all users using an access point are logically using the IP address of the
access point. 
As described in \cite{wifi_high_crimes} and \cite{wifi_faq}, the liability
of an access point operator in many states and countries is still an ``area of ambiguity''. 
In Germany however, there is a court judgment  according to which the
operator of an open wireless access point must be responsible for the
illegal music downloads from the Internet, which
started by somebody else from his access point \cite{haftung_urteil}. 

Organizations like FON claim that they solve the problem by logging
the activities of their members \cite{fon_blog}. But the logs say nothing 
but \emph{which
user has used which AP at what time}. This will not help to track the
criminal who commits cyber felony. Furthermore, a sophisticated
criminal could use a stolen identity for such activities in name of a legal
user which makes tracking much more difficult.

\section{Other Aspects}
As described in \cite{bjoerck}, other threats like spying the network with 
FON router, disseminating
worms or viruses through the FON network etc. are also possible. But these
will be out of the scope of our thesis.
\section{Design Requirements}
In this section, we present the requirements on design and implementation of
a secure and scalable Wi-Fi sharing architecture. The requirements are
derived from the shortcomings of the current Wi-Fi sharing models and
should be used as guideline for the upcoming design and implementation
chapters.
\subsection{User Access Control}
The fact that  dedicated RADIUS servers are deployed in the
current modes like FON implies that the authentication is centralized. This
makes scalability of the system difficult. A decentralized authentication 
system will make the system much more flexible and
scalable. A peer-to-peer based decentralized authentication system will be
more resistant to attacks,  and the instability of the network will not
affect the whole system.

Another aspect comes together with the user interface of the
authentication. The web-based authentication requires user interaction and
input of the user credentials. The current mobile devices
such as mobile phones, PDA or even medical sensor nodes and body sensor
nodes have either no input devices or it is inconvenient to input username
and password. On the other hand, certificate based strong authentication does not
require user interaction and provides high security if everything is configured
in the right way.

After authentication, there should be possibilities for authorization. The
mobile user should only be allowed to connect with his own home router and from
there to go to the Internet. Firewall rules ensure that the mobile user
will not be allowed to access the private network of the operator.
\subsection{Confidentiality}
Confidentiality is one of the most important cornerstones in security.
According to the definition of the International Standard Organisation
(ISO)
\cite{iso}, confidentiality means  ``ensuring that information is accessible only to those
authorized to have access". 

Since the wireless networks use broadcast for data transmission, the only
way to achieve confidentiality is to use encryption. Adequate strong
encryption algorithm should be used and 
only the mobile user can decrypt the message. This does not only
protect the privacy, but also prevents attacks which are caused by the
plain text transmission like MAC spoofing. 
\subsection{Legal Liability}
The legal liability is the most trickiest aspect in Wi-Fi sharing.
Authentication can be done with various possibilities, security can be
achieved through encryption, but the liability problem can not be solved
only by techniques. Laws of different countries have different regulations
on the liability of Wi-Fi sharing, so that this aspect must be considered
at the beginning phases of design and implementation.
\subsection{Mobility}\label{sec:requirement_mobility}
With the spreading deployment of wireless networks, it is quite common,
especially in residential areas, that a mobile user can receive signals of
more than one access points. In metropolis, there are many places or
streets where a seamless coverage of Wi-Fi
signal is possible. 
Thus features like \emph{macro mobility} as defined in section
\ref{sec:mobility_def} should also be
considered at design.
\section{Summary}
In this chapter, we discussed firstly the problems of the current Wi-Fi
sharing models in detail. User access control, security and legal
liability are three biggest problems of the current Wi-Fi sharing models.
We briefly introduced the possible attack scenarios and threats based on the
shortcomings.

Then we presented the requirements for the design and implementation of our
peer-to-peer Wi-Fi sharing system. A distributed and scalable user
access control should be preferred and the transmission should be
encrypted. Attacks like man-in-the-middle attack or MAC spoofing should not be possible.
Finally, the legal liability of operating a wireless access point should be
also considered.
